
Debian released urgent security updates for multiple packages, including Thunderbird and ImageMagick. The gdk-pixbuf library requires immediate attention because a validation error in its JPEG loader could lead to arbitrary code execution or denial of service when a specially crafted JPEG image is processed. Other affected packages such as gst-plugins-bad1.0 contain bugs that may result in denial of service or potentially arbitrary code execution if a malformed media file is opened. Administrators should apply these fixes right away to secure their environments against exploitation.

Debian GNU/Linux 9 (Stretch) and 10 (Buster) ELTS:
ELA-1683-1 gdk-pixbuf security update
ELA-1682-1 gst-plugins-bad1.0 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4531-1] gdk-pixbuf security update

Debian GNU/Linux 12 (Bookworm):
[DSA 6210-1] imagemagick security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6211-1] thunderbird security update



[SECURITY] [DLA 4531-1] gdk-pixbuf security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4531-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
April 14, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : gdk-pixbuf
Version : 2.42.2+dfsg-1+deb11u5
CVE ID : CVE-2026-5201
Debian Bug : 1132501

It was discovered that gdk-pixbuf, the GDK Pixbuf library, does not
properly validate color component counts in the JPEG image loader, which
may result in the execution of arbitrary code or denial of service if
specially crafted JPEG images are processed.

For Debian 11 bullseye, this problem has been fixed in version
2.42.2+dfsg-1+deb11u5.

We recommend that you upgrade your gdk-pixbuf packages.

For the detailed security status of gdk-pixbuf please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gdk-pixbuf

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1683-1 gdk-pixbuf security update


Package : gdk-pixbuf
Version : 2.36.5-2+deb9u5 (stretch), 2.38.1+dfsg-1+deb10u3 (buster)

Related CVEs :
CVE-2026-5201

It was discovered that gdk-pixbuf, the GDK Pixbuf library, does not
properly validate color component counts in the JPEG image loader, which
may result in the execution of arbitrary code or denial of service if
specially crafted JPEG images are processed.





ELA-1682-1 gst-plugins-bad1.0 security update


Package : gst-plugins-bad1.0

Version : 1.10.4-1+deb9u7 (stretch), 1.14.4-1+deb10u7 (buster)

Related CVEs :
CVE-2026-2923
CVE-2026-3082

Multiple vulnerabilities were discovered in plugins for the
GStreamer media framework and its codecs and demuxers, which may result
in denial of service or potentially the execution of arbitrary code if
a malformed media file is opened.





[SECURITY] [DSA 6211-1] thunderbird security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6211-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 14, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : thunderbird
CVE ID : CVE-2026-5731 CVE-2026-5732 CVE-2026-5734

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.

For the oldstable distribution (bookworm), these problems have been fixed
in version 1:140.9.1esr-1~deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 1:140.9.1esr-1~deb13u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6210-1] imagemagick security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6210-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 14, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : imagemagick
CVE ID : CVE-2026-25796 CVE-2026-25985 CVE-2026-26284 CVE-2026-26983
         CVE-2026-28494 CVE-2026-28686 CVE-2026-28687 CVE-2026-28688
         CVE-2026-28689 CVE-2026-28690 CVE-2026-28691 CVE-2026-28692
         CVE-2026-28693 CVE-2026-30883 CVE-2026-30936 CVE-2026-30937
         CVE-2026-31853 CVE-2026-32259 CVE-2026-32636 CVE-2026-33535
         CVE-2026-33536

Multiple security vulnerabilities were discovered in imagemagick,
a software suite used for editing and manipulating digital images, which
could lead to symlink races, information leaks, denial of service
and potentially arbitrary code execution.

For the oldstable distribution (bookworm), these problems have been fixed
in version 8:6.9.11.60+dfsg-1.6+deb12u8.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/